Tech Guest Viewpoint: EMV: Why Online Retailers Should Pay Attention
If you’ve got a physical shop in the U.S., chances are you’re well acquainted with the upcoming deadline for getting an EMV card reader: October 1, 2015. And you’re probably also very aware that if you don’t have this device and complete all your compliance steps, you’ll be on the hook for all the painful chargebacks and related costs that come with fraudulent credit card transactions.
However, if you only sell online, do you really need to care about EMV? The short answer: Yep. And that’s because we – along with many payment experts – believe that while the overall net effect of introducing EMV may be positive, it’s also likely to cause an increase in card-not-present (CNP) fraud. Are you prepared?
Fraudsters gonna fraud
Fraud is a huge and lucrative business, and its practitioners adapt their tactics quickly. In addition to fraudsters buying goods and services with stolen credit card info, some growing areas of online fraud include gift card fraud, account takeovers, referral code abuse, and reshipping fraud. Over the years, we’ve seen fraud rings evolve to stay one step ahead as loopholes close.
With computer chips replacing easily skimmable magnetic stripes, the EMV roll-out will make it nearly impossible to counterfeit physical credit cards. However, once that fraud avenue is cut off, fraudsters are likely to refocus their efforts on using stolen credit card numbers and other forms of payment – like gift cards, digital wallets, and stored value – to make fraudulent purchases online.
Card data is still vulnerable
Even with the increased security of EMV, payment card data can still be vulnerable to fraud. In a 2013 whitepaper, FICO warned that insufficient encryption during transmission is still a risk, urging merchants and payment gateways to do more to make sure customer data is safe.
Add to that all of the customer information that has already been exposed via the massive data breaches of recent years, and fraudsters still have swathes of credit card numbers to work with. Not only are there existing criminal networks that provide all of the necessary tools and resources for budding online fraudsters to get started, but the technology used is growing more sophisticated.
Learning from the U.K., Canada, France and Australia
Since 2003, more than 60 countries have rolled out EMV. The U.S. is fairly late to the game, so we can look at fraud trends from other countries to get a hint at what’s to come – and while card present fraud declined significantly across the board, increases in CNP fraud offset some of those gains.
In the U.K., CNP fraud grew by 79% between 2005 (the EMV liability shift) and 2008. France (adopted in 2002) and Australia (2012) both saw CNP fraud climb about 20% in the first few years after the EMV migration. And Canada? A 133% spike in CNP fraud between 2008 and 2013.
How to protect yourself
Now that you know the situation, it’s not too late to start planning ahead for October’s deadline. First, think about how your existing fraud prevention approach would work if you were suddenly dealing with a higher volume of suspicious transactions. How much time do you spend on manual review? What’s your false positive rate? Can you make decisions fast enough to keep your legitimate customers flying smoothly through checkout?
One tool retailers can consider is fraud-detection software that uses machine learning to look at multiple signals to suss out patterns and block bad transactions before they go through. Since fraud patterns are always changing, the most robust machine-learning models are adaptive, updating in real time as they take in more data.
The expected uptick in CNP fraud after the EMV migration “reinforces the need for a layered approach to security,” according to the Smart Card Alliance, a multi-industry association of payments experts. It’s the perfect time to look at your options for mitigating risk, so you can focus on what matters: building your business.